Identity Manager Privacy Policy

VMWARE DATA PRIVACY ADDENDUM

This VMware Data Privacy Addendum (“Privacy Addendum”) applies whenever it is incorporated by reference into the terms of service for a particular VMware Service Offering (“Agreement”).

This Privacy Addendum consists of two parts:

Part I (General Privacy Provisions) applies to all Service Offerings for which this Privacy Addendum is a part of the Agreement; and

Part II (Specific Privacy Provisions) sets out additional service-specific privacy provisions that apply to certain Service Offerings made available by VMware. Where you purchase or use one or more of these Service Offerings, these service-specific privacy provisions will apply in addition to the general privacy provisions in Part I.

PART I: GENERAL PRIVACY PROVISIONS

1. Definitions and Interpretation.

1.1 Definitions. Any capitalized terms used but not defined in this Privacy Addendum will have the meanings given to them in the Agreement. In addition, the following definitions will apply throughout this Privacy Addendum:

(i) “Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

(ii) “Data Breach” means any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, access or other Processing of or to Service Data.

(iii) “Personal Data” means any information relating to an identified or identifiable individual.

(iv) “Processor” means an entity that Processes Personal Data on behalf of a Controller.

(v) “Processing” means any operation or set of operations performed upon Service Data, Relationship Data or Usage Data. The terms "Process" and "Processes" will be construed accordingly.

(vi) “Relationship Data” means any account-related data provided by you to VMware during the purchase, sign up, use or support of your account. Relationship Data may include Personal Data. VMware Processes Relationship Data for the purposes described in Section 3.

(vii) "Service Data" means any data (including any Personal Data) that VMware Processes on your behalf in the course of providing you with the Service. Depending on the Service Offering you purchase or receive, Service Data may include the content of textual, visual, audio, audiovisual, executable or database files that you or your Users upload or otherwise import into the Service Offering. Service Data does not include Usage Data or Relationship Data.

(viii) “Usage Data” means any data (other than Service Data) relating to your consumption of the Service Offering. Usage Data does not include any Personal Data. Usage Data includes, without limitation, information about the amount of computing and storage resources purchased or consumed, User counts, and third party licenses consumed. Usage Data may also include information related to the consumption of optional or third party or co-branded services provided to you through the Service Offering.

1.2 Conflicts. If there is a conflict between: (i) this Privacy Addendum and the terms of service for any Service Offering, then the provisions of this Privacy Addendum will prevail to the extent of that conflict; (ii) Part I (General Privacy Provisions) and Part II (Specific Privacy Provisions) of this Privacy Addendum, then Part II (Specific Privacy Provisions) will prevail to the extent of that conflict; and (iii) this Privacy Addendum and any applicable Third Party Terms, then the applicable Third Party Terms will prevail to the extent of that conflict with respect to the Third Party Content.

2. Service Data.

2.1 Our Role. As between you and us, you are the Controller of Service Data. We Process Service Data only as a Processor on your behalf and for the purposes set forth in the Agreement. We will not disclose Service Data to any third party, except in accordance with this Privacy Addendum or where required by law.

2.2 Your Compliance. You will (i) comply with all applicable privacy and data protection laws with respect to your Processing of Service Data and any Processing instructions you issue to us; and (ii) ensure that you have obtained (or will obtain) all consents and rights necessary for us to Process Service Data in accordance with this Privacy Addendum.

2.3 Security. We will maintain appropriate technical and organizational measures (including administrative, physical and technical safeguards) to protect any Service Data we Process on your behalf. For details of any specific security measures that may apply to the Service Offering you have purchased or receive, please see the relevant security terms for that Service Offering in Part II (Specific Privacy Provisions) of this Privacy Addendum.

2.4 Subprocessing. You agree that we may subcontract Processing of your Service Data to a third party. We will ensure any subcontractor we appoint protects your Service Data in a manner which is substantially similar to the standard that is set forth in this Privacy Addendum. We will be responsible any breaches of this Privacy Addendum that are caused by any such subcontractor.

2.5 Cooperation. During the term of the Agreement we will provide all assistance reasonably required by you (at your expense) to enable you to address any request or complaint received by you from (i) any natural individual whose Personal Data is contained within Service Data that we Process on your behalf or (ii) any applicable data protection authority.

2.6 Data Breach. Upon becoming aware of a Data Breach, we will promptly notify you and will periodically update you of developments relating to the Data Breach. We will use reasonable endeavors to mitigate and, where possible, to remedy the effects of, any Data Breach.

2.7 Data Center Locations. You will select the location where your Service Data will be stored. You consent that we will store Service Data in the location that you choose when you purchase a specific Service Offering. By uploading Service Data into the Service Offering, you acknowledge that you may transfer and access Service Data from around the world, including to and from the location in which Service Data is maintained.

2.8 Data Transfers from the EEA and Switzerland. If you are a customer in the European Economic Area or Switzerland, you acknowledge that we may process your Service Data in countries outside of the European Economic Area and Switzerland. Where this is the case, we will maintain an appropriate US-EU and US-CH Safe Harbor certification with the US Department of Commerce (or an equivalent data export solution).

2.9 Deletion of Service Data. Following expiration of the Agreement, we will endeavor to delete your Service Data within a reasonable period of time, except to the extent we are required to retain any Service Data for compliance with applicable law. If we are unable to delete your Service Data for technical or other reasons, we will apply measures to ensure that your Service Data is blocked from any further Processing.

2.10 Third Party Requests for Service Data. If a third party raises a complaint about or requests access to Service Data, we will attempt to redirect the third party to you. If we are required to respond to a subpoena, court order, warrant, audit or agency action and that occurrence demands that we disclose Service Data, we will promptly notify and provide you with a copy of the demand unless legally prohibited from doing so.

2.11 Protected Health Information. You must not upload into the Service Offering nor include within Service Data any data which is regulated by the United States Health Insurance Portability and Accountability Act unless you have entered into a business associate agreement with VMware.

3. Relationship Data.

3.1 We collect and Process Relationship Data for the following purposes: (i) to provide the Service Offering to you, to manage your account, and to send you notifications and marketing information (including about the availability of our other products and services); (ii) to bill you for purchased services and to provide support; (iii) to enforce compliance with this Privacy Addendum and the Agreement; and (iv) to comply with our contractual obligations and applicable law.

3.2 We are an independent Controller of the Relationship Data we Process. We will Process Relationship Data in compliance with applicable law. We may share Relationship Data with our affiliates and third party service providers that we use for these purposes or as otherwise required or permitted by applicable law.

4. Usage Data.

4.1 We collect and Process Usage Data: (i) to provide the Service Offering to you; (ii) to manage our infrastructure; (iii) to address technical issues with the Service Offering; (iv) to improve VMware products and services; (v) to provide enhanced customer and technical support services; (vi) to personalize your experience and that of your Users; (vii) to provide recommendations on how you may enhance your experience of the Service Offering; (viii) to provide you with information you may use for your own benchmarking efforts; (ix) to provide you with information and recommendations on VMware products and services and the services of our affiliates and our partners; and (x) as otherwise described in this Agreement.

4.2 We are an independent Controller of the Usage data we Process. We will Process Usage Data in compliance with applicable law. We may share Usage Data with our affiliates and third party service providers for these purposes or as otherwise required or permitted by applicable law.

5. Provisions for Specific Data Centers. For Service Offering purchases where you choose a data center located in the countries listed below, the following provisions replace or supplement the referenced sections of this Privacy Addendum, as noted:

5.1 Australian Data Center

5.1.1 Supplement this Part I of the Privacy Addendum with the following additional Section 6 titled “Personal Information”:

6. Personal Information. VMware will comply with the Privacy Act 1988 (Cth) in respect to “personal information” collected by VMware, as defined in that Act, and will comply with its privacy policy available at www.vmware.com/help/privacy.html in respect to such “personal information”.

PART II: SPECIFIC PRIVACY PROVISIONS

This Part II (Specific Privacy Provisions) sets out additional provisions that apply to certain Service Offerings. These provisions will apply in addition to the general privacy provisions in Part I (General Privacy Provisions).

1. Specific Terms for Third Party Content. If you purchase or receive any Third Party Content in connection with your use of the Service Offering, then please note that Third Party Content will be subject to Third Party Terms that are not controlled or otherwise determined by VMware.

2. Specific Terms for vCloud Air. If you purchase or receive any vCloud Air Service Offering, then the following provisions will apply:

(i) Additional Definitions: The term "VMware Infrastructure" will mean: (a) the physical facilities; and (b) those servers, storage devices, networking equipment, and other hardware and software over which we have administrator access or control; in each case to the extent used to provide the Service Offering;

(ii) Interpretation: The term “Service Data” will mean “Your Content” as that term is defined in the vCloud Air Agreement.

(iii) Infrastructure Monitoring: We reserve the right to monitor and administer the VMware Infrastructure so that we can (a) prevent or address service or technical problems; (b) provide customer support; (c) detect, prevent or address fraud, technology or security issues; (d) protect against harm to the rights, property or safety of us, our users or the public; and (e) perform or enforce contractual obligations, or comply with applicable law.

(iv) Security and Audit: vCloud Air has an Information Security Management System (ISMS) in place to assess risks and apply appropriate controls. We engage qualified independent third party auditors to perform examinations on a regular basis against ISO 27001, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) SOC 1 Type II and SOC 2 Type II and/ or equivalent industry standards throughout the term of the Agreement. Upon request and subject to execution of a non-disclosure agreement in a form acceptable to us, we will provide examination reports issued by the third party auditors.

(v) Deletion and retrieval of data: Before the effective date of the expiration of the Agreement, you should retrieve a copy of Service Data and, if you wish, delete Service Data from the Service Offering. If you do not delete Service Data before your Agreement expires, we will retain Service Data for a period of 90 days following the effective date of that expiration. During this 90-day period, you will not have access to our Service Offering but, on written request, we can either provide you with reasonable assistance (at your cost) to retrieve a copy of Service Data or delete Service Data for you. After this 90-day period, Service Data will be deleted.

3. Specific Terms for vCloud Air SQL. If you purchase or receive the vCloud Air SQL Service Offering from VMware, then the following provisions will apply:

(i) Protected Health Information: You must not upload into the Service Offering nor include within Service Data any data which is regulated by the United States Health Insurance Portability and Accountability Act. For avoidance of doubt, any reference to vCloud Air in a business associate agreement specifically excludes vCloud Air SQL.

(ii) vCloud Air Specific Terms. The specific terms for vCloud Air in Section 2 above are hereby incorporated by reference into this Section 3 for vCloud Air SQL, with the exception of Section 2.4 (Security and Audit) which is hereby replaced with the following for vCloud Air SQL only:

Security and Audit: vCloud Air SQL has an information security management system in place to assess risks and apply appropriate controls.

4. Specific Terms for VMware Identity Manager.If you purchase or receive the VMware Identity Manager Service Offering from VMware, then the following provisions will apply:

(i) Service Data: In the context of the VMware Identity Manager Service Offering, the term "Service Data" means any data (including any Personal Data) that VMware Processes on your behalf in the course of providing you with the Service. In particular, Service Data will include any User attribute data (for example, usernames and access rights) you provide to VMware to receive the Service Offering. Service Data does not include Usage Data or Relationship Data.

(ii) Deletion of Service Data: Following expiration of the Agreement, we will endeavor to delete your Service Data within 60 days, except to the extent we are required to retain any Service Data to comply with applicable law. If we are unable to delete your Service Data for technical or other reasons, we will apply measures to ensure that your Service Data is blocked from any further Processing.

(iii) Data Center Locations: For the purposes of Section 2.7 of this Privacy Addendum, You will be deemed to have chosen the location of where your Service Data will be stored, based on your location. Your Service Data will be stored at the data center(s) described in the VMware Identity Manager “Data Center Locations” page, available at: http://www.vmware.com/identity-manager-location.html.

5. Specific Terms for Horizon Air. If you purchase or receive the Horizon Air Service Offering from VMware, then the following provisions will apply:

(i) Service Data: In the context of the Horizon Air Service Offering, the term “Service Data” means any data (including Personal Data) that VMware Processes on your behalf in the course of providing you with the Service Offering. In particular, Service Data will include browser information, screen resolution, operating system information, application menu navigation information and any other information necessary to deliver the virtual desktop display to Users. Service Data does not include Usage Data or Relationship Data.

(ii) Usage Data: In the context of the Horizon Air Service Offering, the term “Usage Data” means any data relating to the consumption, configuration, performance or features of the Service Offering provided to you. Usage Data includes end user counts, configuration settings, features accessed, technical information relating to devices accessing the Service Offering (including IP addresses, MAC addresses and device identifiers), and performance metrics. VMware Processes Usage Data for the purposes described in Section 4 of Part I of this Privacy Addendum.